Добавил:

Upload Опубликованный материал нарушает ваши авторские права? Сообщите нам.

Вуз:

Балтийский федеральный университет им. И.Канта

Предмет:

[НЕСОРТИРОВАННОЕ]

Файл:

Internet.Security

.pdf

Скачиваний:

Добавлен:

10.02.2015

Размер:

3.75 Mб

Скачать

☆

<<< < Предыдущая 16 17 18 19 20 21 22 23 24 25 26 2728 / 4328 29 30 31 32 33 34 35 36 37 38 39 40 > Следующая >>>

250 INTERNET SECURITY

			A			B			C	D

IV			67452301		efcdab89			98badcfe		10325476
H [(K ipad)\|\|M]			4f556d1d		62d021b7			6db31022		00219556
H [(K opad)\|\|			b1c3841c		73b63dff			1a22d4bd		f468e7b4
H [(K ipad)\|\|M]]
HMAC – MD5 = 0 x b1c3841c 73b63dff 1a22d4bd f468e7b4
	The alternative operation for computation of either HMAC – MD5 or HMAC – SHA-1
is described in the following:
1.	Append zeros to K to create a b-bit string K , where b = 512 bits.
2.	XOR K (padding with zero) with ipad to produce the b-bit block.
3.	Apply the compression function f(IV, K ipad) to produce (IV)i = 128 bits.
4.	Compute the hash code h with (IV)i				and Mi.	Y
5.						Y
5.	Raise the hash value computed from step 4 to a b-bit string.
6.					L			b-bit block.
6.	XOR K (padded with zeros) with opad to produce the							b-bit block.
7.	Apply the compression function f(IV, KF’ opad) to produce (IV)0 = 128 bits.
8.	Compute the HMAC with (IV)o and the raised hash value resulting from step 5.
				M
Figure 7.3 shows the alternative scheme based on the above steps.
			A
Example 7.2			E
		T
HMAC – SHA-1 computation using alternative method:
Data: 0x 7104f218 a3192e65 1cf7025d 8011bf79 4a19
Key: 0x 31fa7062 c45113e3 2679fd13 53b71264

			A		B		C		D	E

IV			67452301		efcdab89		98badcfe		10325476	c3d2e1f0
f [(K ipad), IV] = (IV)i			c6edf676		ef938cee		84dd1b00		5b3be996	cb172ad4
H [M, (IV)i]			f75ebdde		df6b486e		796daefd		e9cadc38	6bb33c7d
f [(K opad), IV] = (IV)o			a46e7eba		64c80ca4		c42317b3		dd2b4f1e	81c21ab0
H [H [M, (IV)i], (IV)o]			ee70e949		d7439e60		7865108b		6325235f	e220024e

HMAC – SHA-1 = 0x ee70e949 d7439e60 7865108b 6325235f e220024e

7.2 IP Authentication Header

The IP AH is used to provide data integrity and authentication for IP packets. It also provides protection against replays. The AH provides authentication for the IP header, as well as for upper-level protocol (TCP, UDP) data. But some IP header ﬁelds may change in transit and the sender may not be able to predict the value of these ﬁelds when

Team-Fly®

	NETWORK LAYER SECURITY					251
K
					M


			b	b		b	b = 512 bits
Padding			b	b		b
Padding		M0		M1	...	ML−1

K′ = 512 bits

ipad

Mi, i = 0,1, ..., L−1

IV 160 bits (SHA-1)

128 bits (MD5)

K′

opad

IV 160 bits (SHA-1) 128 bits (MD5)

f	(IV)i	H
f	160 bits (SHA-1)	H
	160 bits (SHA-1)
	128 bits (MD5)

h = 160 bits (SHA-1) 128 bits (MD5)

Padding

b = 512 bits

(IV)0

160 bits (SHA-1)

128 bits (MD5)

HMAC(M )

Figure 7.3 Alternative operation of HMAC computation using either MD5 or SHA-1 (message length computation based on M only).

the packet arrives at the receiver. Thus, the protection provided to the IP header by AH is somewhat piecemeal. The AH can be used in conjunction with ESP or with the use of tunnel mode. Security services can be provided between a pair of hosts, between a pair of security gateway or between a security gateway and a host. The ESP provides a conﬁdentiality service. The primary difference between the authentication provided by ESP and AH is the extent of the coverage. ESP does not protect any IP header ﬁelds unless these ﬁelds are encapsulated by ESP (tunnel mode). The current key management options required for both AH and ESP are manual keying and automated keying via IKE. Authentication is based on the use of an MAC or the Integrity Check Value (ICV) computation so that two hosts must share a secret key.

7.2.1 AH Format

The IPsec AH format is shown in Figure 7.4. The following six ﬁelds comprise the AH format:

• Next header (8 bits): This ﬁeld identiﬁes the type of the next payload after the AH. The value of this ﬁeld is chosen from the set of IP numbers deﬁned in the Internet Assigned Number Authority (IANA).

252 INTERNET SECURITY

Next header	Payload length	Reserved
(8 bits)	(8 bits)	(16 bits)

Security Parameters Index (SPI)

(32 bits)

Sequence number (32 bits)

Authentication data (variable)

Figure 7.4 IPsec AH format.

• Payload length (8 bits): This ﬁeld speciﬁes the length of the AH in 32-bit words, minus 2. The default length of the authentication data ﬁeld is 96 bits, or three 32-bit words. With a three-word ﬁxed header, there are a total of six words in the header, and the payload length ﬁeld has a value of 4.

• Reserved (16 bits): This ﬁeld is reserved for future use. It must be set to ‘zero’.

•SPI (32 bits): This ﬁeld uniquely identiﬁes the SA for this datagram, in combination with the destination IP address and security protocol (AH).

The set of SPI values in the range 1 – 255 is reserved by the IANA for future use. The SPI value of zero (0) is reserved for local, implementation-speciﬁc use. A key management implementation may use the zero SPI value to mean ‘No Security Association Exists’ during the period when the IPsec implementation has requested that its key management entity establish a new SA, but the SA has not yet been established.

•Sequence number (32 bits): This ﬁeld contains the monotonically increasing counter value which provides an anti-replay function. Even if the sender always transmits this ﬁeld, the receiver need not act on it, i.e. processing of the sequence number ﬁeld is at the discretion of the receiver. The sender’s counter and the receiver’s counter are initialised to zero when an SA is established. The ﬁrst packet sent using a given SA will have a sequence number of 1. The sender increments the sequence number for this SA and inserts the new value into the sequence number ﬁeld.

If anti-replay is enabled, the sender checks to ensure that the counter has not cycled before inserting the new value in the sequence number ﬁeld. If the counter has cycled, the sender will set up a new SA and key. If the anti-replay is disabled, the sender does not need to monitor or reset the counter. However, the sender still increments the counter and when it reaches the maximum value, the counter rolls over to zero.

•Authentication data (variable): This ﬁeld is a variable-length ﬁeld that contains the Integrity Check Value (ICV) or MAC for this packet. This ﬁeld must be an integral

NETWORK LAYER SECURITY

253

multiple of 32-bit words. It may include explicit padding. This padding is included to ensure that the length of AH is an integral multiple of 32 bits (IPv4) or 64 bits (IPv6).

7.2.2 AH Location

Either AH or ESP is employed in two ways: transport mode or tunnel mode. The transport mode is applicable only to host implementations and provides protection for upper-layer protocols. In the transport mode, AH is inserted after the IP header and before an upperlayer protocol (TCP, UDP or ICMP), or before any other IPsec header that may have already been inserted.

In the IPv4 context, AH is placed after the original IP header and before the upper-layer protocol TCP or UDP. Note that an ICMP message may be sent using either the transport mode or the tunnel mode. Authentication covers the entire packet, excluding mutable ﬁelds in the IPv4 header that are set to zero for MAC computation. The positioning of AH transport mode for an IPv4 packet is illustrated in Figure 7.5(a).

In the IPv6 context, AH should appear after hop-to-hop, routing and fragmentation extension headers. The destination options extension header(s) could appear either before or after AH, depending on the semantics desired. Authentication again covers the entire packet, excluding mutable ﬁelds that are set to zero for MAC computation. The positioning of AH transport mode for an IPv6 packet is illustrated in Figure 7.5(b).

Tunnel mode AH can be employed in either hosts or security gateways. When AH is implemented in a security gateway to protect transit trafﬁc, tunnel mode must be used. In tunnel mode, the inner IP header carries the ultimate source and destination addresses, while an outer IP header may contain different IP addresses (i.e. addresses of ﬁrewalls or other security gateways). In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header. The position of AH in tunnel mode, relative to the outer IP header, is the same as for AH in transport mode. Figure 7.5(c) illustrates AH tunnel mode positioning for typical IPv4 and IPv6 packets.

7.3 IP ESP

The ESP header is designed to provide security services in IPv4 and IPv6. ESP can be applied alone, in combination with the IP AH or through the use of tunnel mode. Security services are provided between a pair of hosts, between a pair of security gateways or between a security gateway and a host.

The ESP header is inserted after the IP header and before the upper-layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).

ESP is used to provide conﬁdentiality (encryption), data authentication, integrity and anti-replay service, and limited trafﬁc ﬂow conﬁdentiality. Conﬁdentiality could be selected independent of all other services. However, use of conﬁdentiality without integrity/ authentication may subject trafﬁc to certain forms of active attacks that undermine the conﬁdentiality service. Data authentication and integrity are joint services offered as an option with conﬁdentiality. The anti-replay service is chosen only if data origin authentication

254				INTERNET SECURITY

IPv4	orig IP hdr		TCP		Data
IPv4	(any options)		TCP		Data
	(any options)

		Before applying AH

		Authenticated except for mutable fields
		Authenticated except for mutable fields

IPv4	orig IP hdr		AH		TCP	Data
IPv4	(any options)		AH		TCP	Data
	(any options)

		After applying AH
	(a) AH transport mode for an IPv4 packet

IPv6

IPv4

IPv6

orig IP hdr

ext hdrs

TCP

Data

(if any)

Before applying AH

Authenticated except for mutable fields

orig IP hdr

hop-by-hop, dest,

dest

TCP

Data

routing, fragment

After applying AH

(b) AH transport mode for an IPv6 packet

Authenticated except for mutable fields in the new IP hdr

new IP hdr

orig IP hdr

TCP

Data

Authenticated except for mutable fields in the new IP hdr and its extension headers

new IP hdr	ext	AH	orig IP	ext	TCP	Data
new IP hdr	hdrs	AH	header	headers	TCP	Data
	hdrs		header	headers

Figure 7.5 Transport mode and tunnel mode for AH authentication.

is selected and the service is effective only if the receiver checks the sequence number. The current key management options required for both AH and ESP are manual keying and automated keying via IKE.

7.3.1 ESP Packet Format

Figure 7.6 shows the format of an ESP packet and the ﬁelds in the header format are deﬁned in the following.

NETWORK LAYER SECURITY

255

	Security Parameters Index (SPI)
	(32 bits)
	Security number
	(32 bits)
	Payload data (variable)
	Padding (0−255 bytes)
	Pad length	Next header
	Pad length	(8 bits)
		(8 bits)
	Authentication data (variable)

Plaintext =

Payload data || Padding ||

Pad length || Next header

= multiple number of 4 bytes

Figure 7.6 IPsec ESP format.

• SPI (32 bits): The SPI is an arbitrary 32-bit value that uniquely identiﬁes an SA for this datagram. The set of SPI values in the range 1 – 255 is reserved by the IANA for future use. The SPI ﬁeld in the ESP packet format is mandatory and always present.

•Sequence number (32 bits): This ﬁeld contains a monotonically increasing counter value. This provides an anti-replay function. It is mandatory and is always present even if the receiver does not elect to enable the anti-replay service for a speciﬁc SA. If anti-replay is enabled, the transmitted sequence number must not be allowed to cycle. Thus, the sender’s counter and the receiver’s counter must be reset prior to the transmission of the 232nd packet on an SA.

•Payload data (variable): This variable-length ﬁeld contains data described by the next header ﬁeld. The ﬁeld is an integral number of bytes in length. If the algorithm requires an initialisation vector (IV) to encrypt payload, then this data may be carried explicitly in the payload ﬁeld. Any encryption algorithm that requires such IP data must indicate the length, structure and location of this data by specifying how the algorithm is used with ESP. For some IP-based modes of operation, the receiver treats the IP as the start of the ciphertext, feeding it into the algorithm directly.

•Padding: This ﬁeld for encryption requires several factors:

–If an encryption algorithm requires the plaintext to be a multiple number of bytes, the padding ﬁeld is used to ﬁll the plaintext to the size required by the algorithm. The plaintext consists of the payload data, pad length and next header ﬁeld, as well as the padding (see Figure 7.6)

–Padding is also required to ensure that the ciphertext terminates on a 32-bit boundary. Speciﬁcally, the pad length and next header ﬁelds must be right aligned

256	INTERNET SECURITY

within a 32-bit word to ensure that the authentication data ﬁeld is aligned on a 32-bit boundary.

The sender may add 0 – 255 bytes of padding. Inclusion of the padding ﬁeld in an ESP packet is optional, but all implementations must support the generation and consumption of padding. For the purpose of ensuring that either the bits to be encrypted are a multiple of the algorithm’s blocksize or the authentication data is aligned on a 32-bit boundary, the padding is applied to the payload data exclusive of the IV, the pad length and next header ﬁelds.

The padding bytes are initialised with a series of integer values such that the ﬁrst padding byte appended to the plaintext is numbered 1, with subsequent padding bytes following a monotonically increasing sequence: 1, 2, 3, . . .. When this padding scheme is employed, the receiver should inspect the padding ﬁeld. Any encryption algorithm requiring padding must deﬁne the padding contents, while any required receiver must process these padding bytes in specifying how the algorithm is used with ESP. In such circumstances, the encryption algorithm and mode selected will determine the content of the padding ﬁeld. Subsequently, a receiver must inspect the padding ﬁeld and inform senders of how the receiver will handle the padding ﬁeld.

•Pad length: This ﬁeld indicates the number of pad bytes immediately preceding it. The range of valid values is 0 – 255, where a value of 0 indicates that no padding bytes are present. This ﬁeld is mandatory.

• Next header (8 bits): This ﬁeld identiﬁes the type of data contained in the payload data ﬁeld, i.e. an extension header in IPv6 or an upper-layer protocol identiﬁer. The value of this ﬁeld is chosen from the set of IP numbers deﬁned by the IANA. The next header ﬁeld is mandatory.

•Authentication data (variable): This is a variable-length ﬁeld containing an ICV computed over the ESP packet minus the authentication data. The length of this ﬁeld is speciﬁed by the authentication function selected. The ﬁeld is optional and is included only if the authentication service has been selected for the SA in question. The authentication algorithm must specify the length of the ICV and the comparison rules and processing steps for validation.

7.3.2 ESP Header Location

Like AH, ESP is also employed in the two transport or tunnel modes. The transport mode is applicable only to host implementations and provides protection for upper protocols, but not the IP header. In the transport mode, ESP is inserted after the IP header and before an upper-layer protocol (TCP, UDP or ICMP), or before any other IPsec headers that have already been inserted.

In the IPv4 context, ESP is placed after the IP header, but before the upper-layer protocol. Note that an ICMP message may be sent using either the transport mode or the tunnel mode. Figure 7.7(a) illustrates ESP transport mode positioning for a typical IPv4 packet, on a before and after basis. The ESP trailer encompasses any padding, plus the pad length, and next header ﬁelds.

NETWORK LAYER SECURITY

257

IPv4

orig IP hdr

TCP

Data

(any options)

Before applying ESP

Authenticated except for mutable fields

IPv4

orig IP hdr

ESP

TCP

Data

ESP

(any options)

hdr

Trailer

Auth

Encrypted

Authenticated

After applying ESP

(a) ESP transport mode for an IPv4 packet

IPv6

orig IP hdr

ext hdrs

TCP

Data

(if any)

Before applying ESP

Authenticated

Encrypted

IPv6

orig IP hdr

hop-by-hop, dest,

ESP

dest

TCP

Data

ESP

routing, fragment

hdr

opt

Trailer

Auth

After applying ESP

(b) ESP transport mode for an IPv6 packet

Authenticated

Encrypted

IPv4

new IP hdr

ESP

orig IP hdr

TCP

Data

ESP

(any options)

hdr

(any options)

Trailer

Auth

Authenticated

Encrypted

IPv6

new IP hdr

new ext

ESP

orig

orig ext

TCP

Data

ESP

hdrs

hdr

IP hdr

hdrs

Trailer

Auth

Figure 7.7 Transport mode and tunnel mode for ESP authentication.

In the IPv6 context, the ESP appears after hop-by-hop, routing and fragmentation extension headers. The destination options extension header(s) could appear either before or after the ESP header depending on the semantics desired. However, since ESP protects only ﬁelds after the ESP header, it is generally desirable to place the destination options header(s) after the ESP header. Figure 7.7(b) illustrates ESP transport mode positioning for a typical IPv6 packet.

Tunnel mode ESP can be employed in either hosts or security gateways. When ESP is implemented in a security gateway to protect subscriber transit trafﬁc, tunnel mode must be used. In tunnel mode, the inner IP header carries the ultimate source and destination

258	INTERNET SECURITY

addresses, while an outer IP header may contain different IP addresses such as addresses of security gateways. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header. The position of ESP in tunnel mode, relative to the outer IP header, is the same as for ESP in transport mode. Figure 7.7(c) illustrates ESP tunnel mode positioning for typical IPv4 and IPv6 packets.

7.3.3 Encryption and Authentication Algorithms

ESP is applied to an outbound packet associated with an SA that calls for ESP processing. The encryption algorithm employed is speciﬁed by the SA, as is the authentication algorithm.

7.3.3.1Encryption

ESP is designed for use with symmetric algorithms like a triple DES in CBC mode. However, a number of other algorithms have been assigned identiﬁers in the DOI document. These algorithms for encryption are: RC5, IDEA, CAST and Blowﬁsh.

For encryption to be applied, the sender encapsulates the ESP payload ﬁeld, adds any necessary padding, and encrypts the result (i.e. payload data, padding, pad length and next header). The sender encrypts the ﬁelds (payload data, padding, pad length and next header) using the key, encryption algorithm, algorithm mode indicated by the SA and an IV (cryptographic synchronisation data). If the algorithm to be encrypted requires an IV, then this data is carried explicitly in the payload ﬁeld. The payload data ﬁeld is an integral number of bytes in length. Since ESP provides padding for the plaintext, encryption algorithms employed by ESP exhibit either block or stream mode characteristics.

The encryption is performed before the authentication and does not encompass the authentication data ﬁeld. The order of this processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet. Therefore, it will reduce the impact of service attacks. At the receiver, parallel processing of packets is possible because decryption can take place in parallel with authentication. Since the authentication data is not protected by encryption, a keyed authentication algorithm must be employed to compute the ICV.

Referring to Figure 7.8, the 3DES – CBC mode requires an IV that is the same size as the block size. The IV is XORed with the ﬁrst plaintext block before it is encrypted. For successive blocks, the previous ciphertext block is XORed with the current plaintext before it is encrypted. Triple DES, known as DES – EDE3, processes each block three times, each time with a different key. Therefore, the triple DES algorithm has 48 rounds. In DES – EDE3-CBC, an IV is XORed with the ﬁrst 64-bit plaintext block (P1).

Some cipher algorithms allow for a variable-sized key (RC5), while others only allow a speciﬁc key size (DES, IDEA).

7.3.3.2Decryption

The receiver decrypts the ESP payload data, padding, pad length and next header using the key, encryption algorithm, algorithm mode and IV data. If explicit IV data is indicated, it

NETWORK LAYER SECURITY

K1	E	K1	E	K1
K1	E	K1	E	K1

K2	D	K2	D	K2
K2	D	K2	D	K2

Figure 7.8 DES – EDE3 – CBC algorithm.

259

is taken from the payload ﬁeld and input to the decryption algorithm. If implicit IV data is indicated, a local version of the IV is constructed and input to the decryption algorithm.

The exact steps for reconstructing the original datagram depend on the mode (transport or tunnel) and are described in the Security Architecture document. The receiver processes any padding as given in the encryption algorithm speciﬁcation. For transport mode, the receiver reconstructs the original IP datagram from the original IP header plus the original upper-layer protocol information in the ESP payload ﬁeld. For tunnel mode, the receiver reconstructs the tunnel IP header plus the entire IP datagram in the ESP payload ﬁeld.

If authentication has been computed, veriﬁcation and decryption are performed serially or in parallel. If performed serially, then ICV or MAC veriﬁcation should be performed ﬁrst. If performed in parallel, veriﬁcation must be completed before the decrypted packet is passed on for further processing. This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver.

7.3.3.3Authentication

The authentication algorithm employed for the ICV computation is speciﬁed by the SA. For communication between two points, suitable authentication algorithms include Keyed Message Authentication Codes (MACs) based on symmetric encryption algorithms (i.e. DES) or on one-way hash function (i.e. MD5 or SHA-1). For multicast communication, one-way hash algorithms combined with asymmetric signature algorithms are appropriate.

<<< < Предыдущая 16 17 18 19 20 21 22 23 24 25 26 2728 / 4328 29 30 31 32 33 34 35 36 37 38 39 40 > Следующая >>>

Соседние файлы в предмете [НЕСОРТИРОВАННОЕ]

#
31.07.201940.86 Кб13Informatika_2011.docx
#
21.11.2019368.64 Кб7inf_selfwork.doc
#
27.11.2019103.94 Кб6Institut_konfiskatsii_v_zarubezhnykh_stranakh.doc
#
10.02.201513.28 Mб25intel_v10_full_final.pdf
#
10.02.20156.96 Mб13InterAction_Noyabr_2013.pdf
#
10.02.20153.75 Mб29Internet.Security.pdf
#
10.02.201588.58 Кб65inzhiniring.doc
#
22.12.2018128.51 Кб10iogp_zachet_1.doc
#
22.08.20198.55 Mб10ISE_WP.docx
#
10.02.2015772.41 Кб31issledovanie_roli_fin1.docx
#
10.02.20157.36 Mб21ISSLEDOVATEL_SKAYa_2.doc